Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert and emergency level messages.

The logging levels in descending order are:

emergency: The unit is unusable.

alert: Immediate action is required.

critical: Functionality is affected.

error: Functionality is probably affected.

warning: Functionality might be affected.

notification: Information about normal events.

information: General information about unit operations.

debug: Information used for diagnosis or debugging.

Default: alert

max-log-file-size <integer>

Enter the size at which the log is rolled. Default: 100. Range: 1 to 1024 (MB)

roll-schedule {none | daily | weekly}

Enter the period for the scheduled rolling of a log file. If roll-schedule is none, the log rolls when max-log-file-size is reached. The following options are available:

none: Not scheduled.

daily: Every day.

weekly: Every week.

Default: none

roll-day <string>

Enter the day for the scheduled rolling of a log file.

roll-time <hh:mm>

Enter the time for the scheduled rolling of a log file.

diskfull {nolog | overwrite}

Enter the action to take when the disk is full:

nolog: Stop logging.

overwrite: Overwrite the oldest log entries.

Default: overwrite

log-disk-full-percentage <integer>

Enter the percentage at which the log disk will be considered full (50-90%).

upload {disable | enable}

Enable to permit uploading of logs. Default: disable

uploadip <ipv4_address>

Enter IPv4 address of the destination server. Default: 0.0.0.0

server-type {FAZ | FTP | SCP | SFTP}

Enter the server type to use to store the logs. The following options are available:

FAZ: Upload to FortiAnalyzer.

FTP: Upload via FTP.

SCP: Upload via SCP.

SFTP: Upload via SFTP.

uploadport <integer>

Enter the port to use when communicating with the destination server. Default: 21. Range: 1 to 65535

uploaduser <string>

Enter the user account on the destination server.

uploadpass <passwd>

Enter the password of the user account on the destination server. Character limit: 127

uploaddir <string>

Enter the destination directory on the remote server.

uploadtype <event>

Enter event to upload the event log files. Default: event

uploadzip {disable | enable}

Enable to compress uploaded log files. Default: disable

uploadsched {disable | enable}

Enable to schedule log uploads. The following options are available:

disable: Upload when rolling.

enable: Scheduled upload.

upload-time <hh:mm>

Enter the time at which the scheduled upload runs.

upload-delete-files {disable | enable}

Enable to delete log files after uploading. Default: enable

Example

In this example, the logs are uploaded to an upload server and are not deleted after they are uploaded.

config system locallog disk setting
    set status enable
    set severity information
    set max-log-file-size 1000
    set roll-schedule daily
    set upload enable
    set uploadip 10.10.10.1
    set uploadport 443
    set uploaduser myname2
    set uploadpass 12345
    set uploadtype event
    set uploadzip enable
    set uploadsched enable
    set upload-time 06:45
    set upload-delete-files disable
end
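
The ranges and option lists documented above can be checked mechanically before a block is entered in the CLI. The following Python is an added example, not Fortinet code; the names `lint` and `logged_levels` and the sample block are constructed for illustration, and the parser assumes one unquoted value per `set` line.

```python
# Constraints below are copied from the variable descriptions on this page.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]
TOGGLE = ["disable", "enable"]
ENUMS = {"severity": SEVERITIES, "roll-schedule": ["none", "daily", "weekly"],
         "diskfull": ["nolog", "overwrite"],
         "server-type": ["FAZ", "FTP", "SCP", "SFTP"],
         "status": TOGGLE, "upload": TOGGLE, "uploadzip": TOGGLE,
         "uploadsched": TOGGLE, "upload-delete-files": TOGGLE}
INT_RANGES = {"max-log-file-size": (1, 1024), "uploadport": (1, 65535),
              "log-disk-full-percentage": (50, 90)}
FREE_TEXT = {"roll-day", "roll-time", "uploadip", "uploaduser", "uploadpass",
             "uploaddir", "uploadtype", "upload-time"}

def logged_levels(threshold):
    """Levels written at a threshold: the threshold and everything above it."""
    return SEVERITIES[:SEVERITIES.index(threshold) + 1]

def lint(block):
    """Return one finding per problematic 'set <keyword> <value>' line."""
    findings = []
    for line in block.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "set":
            continue  # 'config ...', 'end' and blank lines carry no setting
        key, args = parts[1], parts[2:]
        if key not in ENUMS and key not in INT_RANGES and key not in FREE_TEXT:
            findings.append(f"{key}: unknown keyword")
        elif len(args) != 1:
            findings.append(f"{key}: expected one value, got {len(args)}")
        elif key in ENUMS and args[0] not in ENUMS[key]:
            findings.append(f"{key}: '{args[0]}' is not a listed option")
        elif key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            if not args[0].isdigit() or not lo <= int(args[0]) <= hi:
                findings.append(f"{key}: '{args[0]}' is not an integer in {lo}-{hi}")
        elif key == "server-type" and args[0] == "FTP":
            findings.append("server-type: FTP sends logs and the password unencrypted")
    return findings

# Constructed sample with deliberate mistakes (not a real device configuration).
SAMPLE = """config system locallog disk setting
    set max-log-file-size 1000MB
    set log-disk-full-percentage 95
    set server-type FTP
    set uploadport port 443
    set upload-delete-file disable
end"""
print("\n".join(lint(SAMPLE)))
```
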

locallog filter

Use this command to configure filters for local logs. All keywords are visible only when event is enabled.

Enter the severity threshold that a log message must meet or exceed to be logged to the unit. The following options are available:

emergency: The unit is unusable.

alert: Immediate action is required.

critical: Functionality is affected.

error: Functionality is probably affected.

warning: Functionality might be affected.

notification: Information about normal events (default).

information: General information about unit operations.

debug: Information used for diagnosis or debugging.

status {disable | realtime | upload}

Set the log to FortiAnalyzer status:

disable: Do not log to FortiAnalyzer (default).

realtime: Log to FortiAnalyzer in realtime.

upload: Log to FortiAnalyzer at a scheduled time.

upload-time <hh:mm>

Set the time to upload local log files (default = 00:00).

Example

In this example, remote logging to the configured FortiAnalyzer unit is enabled. Events at the information level and higher, which is everything except debug level events, are sent to the FortiAnalyzer unit.

config system locallog fortianalyzer setting
    set status enable
    set severity information
end

locallog memory setting

Use this command to configure memory settings for local logging purposes.

Enter the facility type. facility identifies the source of the log message to syslog. Change facility to distinguish log messages from different FortiAnalyzer units so you can determine the source of the log messages. Available facility types are:

Select the logging severity level. The FortiAnalyzer unit logs all messages at and above the logging severity level you select. For example, if you select critical, the unit logs critical, alert, and emergency level messages.

The logging levels in descending order are:

emergency: The unit is unusable.

alert: Immediate action is required.

critical: Functionality is affected.

error: Functionality is probably affected.

warning: Functionality might be affected.

notification: Information about normal events.

information: General information about unit operations.

debug: Information used for diagnosis or debugging.

status {enable | disable}

Enter enable to begin logging. The following options are available:

disable: Do not log to remote syslog server.

enable: Log to remote syslog server.

syslog-name <string>

Enter the remote syslog server name.

Use the show command to display the current configuration if it has been changed from its default value:

show system locallog syslogd setting

Example

In this example, the logs are uploaded to a syslog server at IPv4 address 10.10.10.8. The FortiAnalyzer unit is identified as facility local0.

config system locallog syslogd setting
    set facility local0
    set server 10.10.10.8
    set status enable
    set severity information
end

locallog

Use the following commands to configure local log settings.

locallog setting

Use this command to configure locallog logging settings.

Syntax

config system locallog setting
    set log-interval-dev-no-logging <integer>
    set log-interval-disk-full <integer>
    set log-interval-gbday-exceeded <integer>
end

Variable

Description

log-interval-dev-no-logging <integer>

Interval, in minutes, for logging the event that no logs have been received from a device. Default: 5.

log-interval-disk-full <integer>

Interval, in minutes, for logging the disk full event. Default: 5.

log-interval-gbday-exceeded <integer>

Interval, in minutes, for logging the event that the GB/Day license has been exceeded. Default: 1440.

locallog disk setting

Use this command to configure the disk settings for uploading log files, including configuring the severity of log levels.

status must be enabled to view diskfull, max-log-file-size and upload variables.
